Description of problem:
Looks like a new selinux policy was pushed with RHEL6.2, which keeps /usr/lib64/nagios/plugins/check_disk from reading disk status on /boot, giving the following error:

DISK CRITICAL - /boot is not accessible: Permission denied

The disk check I am using is:
command[check_boot]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /boot

Version-Release number of selected component (if applicable):
nagios-plugins-disk-1.4.14-4.el6.x86_64
RHEL 6.2 (latest)

How reproducible:
All the time.

Steps to Reproduce:
1. Update to RHEL 6.2 from RHEL6.1 in selinux enforcing mode.
2. Watch the /boot check fail.
3. 'setenforce 0' and it starts working again.

Actual results:
DISK CRITICAL - /boot is not accessible: Permission denied

Expected results:
The /boot check to succeed.

Additional info:
I generated the following selinux policy which fixes the issue, it can probably be cleaned up a bit:
-------------
module nrpe_check_disk 1.0;

require {
	type nrpe_t;
	type nagios_checkdisk_plugin_t;
	type boot_t;
	class process { siginh noatsecure rlimitinh };
	class tcp_socket { read write };
	class dir getattr;
}

#============= nagios_checkdisk_plugin_t ==============
allow nagios_checkdisk_plugin_t boot_t:dir getattr;
allow nagios_checkdisk_plugin_t nrpe_t:tcp_socket { read write };

#============= nrpe_t ==============
allow nrpe_t nagios_checkdisk_plugin_t:process { siginh rlimitinh noatsecure };
------------
I had to enable logging of all denied selinux policies to get:

type=1400 audit(1325539329.240:9795): avc: denied { read write } for pid=23107 comm="check_disk" path="socket:[12409604]" dev=sockfs ino=12409604 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=tcp_socket
type=1400 audit(1325539329.240:9796): avc: denied { rlimitinh } for pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.240:9797): avc: denied { siginh } for pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.240:9798): avc: denied { noatsecure } for pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.241:9799): avc: denied { getattr } for pid=23107 comm="check_disk" path="/boot" dev=vda1 ino=2 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
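The module quoted in the report is what audit2allow derives from those five AVC lines; the script below is an added illustration (not part of the bug report or of the nagios-plugins project) of that derivation, parsing the denials, merging per (source type, target type, class), and rendering the .te source, so one can see exactly which rule each denial accounts for before deciding whether it should be granted. The audit lines are the ones from the report, embedded as a constructed sample.

```python
import re
from collections import defaultdict

# Constructed sample: the five AVC denials quoted in the report, in audit.log form.
SAMPLE_AUDIT = """\
type=1400 audit(1325539329.240:9795): avc: denied { read write } for pid=23107 comm="check_disk" path="socket:[12409604]" dev=sockfs ino=12409604 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=unconfined_u:system_r:nrpe_t:s0 tclass=tcp_socket
type=1400 audit(1325539329.240:9796): avc: denied { rlimitinh } for pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.240:9797): avc: denied { siginh } for pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.240:9798): avc: denied { noatsecure } for pid=23107 comm="check_disk" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tclass=process
type=1400 audit(1325539329.241:9799): avc: denied { getattr } for pid=23107 comm="check_disk" path="/boot" dev=vda1 ino=2 scontext=unconfined_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
"""

# One denial: the permission set, then source/target contexts and object class.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<sc>\S+)\s+tcontext=(?P<tc>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) per denied line; a context is user:role:type:level."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (m['sc'].split(':')[2], m['tc'].split(':')[2],
                   m['tclass'], set(m['perms'].split()))

def collect_rules(text):
    """Merge denials that share (source, target, class) into one permission set."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def to_te_module(rules, name='nrpe_check_disk'):
    """Render the merged rules as .te module source in the shape audit2allow -M produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ['}', '']
    out += ['allow %s %s:%s %s;' % (s, t, c, fmt_perms(p))
            for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out)
```

Running `print(to_te_module(collect_rules(SAMPLE_AUDIT)))` reproduces the three allow rules of the reporter's module; the boot_t:dir getattr rule is the one the next comment points out only covers /boot.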
Unfortunately, adding boot_t:dir getattr access will only solve this problem for /boot. The reason for the AVC denial is that check_disk will call stat() on every mount point specified via its internal stat_path() function. For local file systems this isn't really needed if all you want to do is to check for disk size. I tweaked the check_disk.c code to skip stat_path() by default and that appears to work fine, but there apparently are cases when you do want to use stat(). To test the full effects of SELinux on check_disk, use a line with command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% and check_disk will traverse all mount points and get AVC denials on stat() on quite a few, depending on your setup.
We also have bz#768055 open to come at this from the selinux-policy side of things in RHEL6.
Same type of issue on el7.
nagios-plugins-2.1.4-5.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4e77054bfa
nagios-plugins-2.1.4-5.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4e77054bfa
nagios-plugins-2.1.4-6.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b820953367
nagios-plugins-2.1.4-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-994c77a4cd
nagios-plugins-2.1.4-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-994c77a4cd
nagios-plugins-2.2.0-3.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5d813cd00d
nagios-plugins-2.2.0-4.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b0accaba31
nagios-plugins-2.2.0-4.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b0accaba31
nagios-plugins-2.2.0-6.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4a502a08b4
nagios-plugins-2.2.0-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4a502a08b4
nagios-plugins-2.2.0-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-1623674064
nagios-plugins-2.2.0-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-1623674064
nagios-plugins-2.2.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-306cbf64b0
nagios-plugins-2.2.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.